How to Super Secure Your Sitefinity CMS Website and Be Safe
Security has always been one of the most important features of any web application or Sitefinity CMS application. Sitefinity implements security that is based on the ASP.Net model and the prime goal behind this decision is that the ASP.NET developers should always feel comfortable while working with the security API.
The Sitefinity CMS Administrative Web Interface is accessed with /Sitefinity to the website URL. It is then that the users are asked to provide a specific and valid username and password that helps to gain access to the CMS. Since in the past few years there has been an increasing trend of cyber attacks, security has become a high priority item on any organization’s agenda.
In this blog, we will discuss how you can add some extra layers of security to your Sitefinity development process and backend login page by using some of the out of the box security features and ASP.NET mechanism and protect your data and your site.
Create a Strong Password Policy:
With plenty of password cracking tools available that will help to create variations, it is now easier to create various login attempts. And within several hours or days, such automated tools will finally stumble over a valid password and pick the right one for the attack. Here are some important password guidelines:
- Your password should be of at least 8 characters long and the longer the better.
- It should be a mixture of letters and numbers
- It should be of mixed case
- It should not be a common word that is very easy to guess
A good password often makes it very difficult to choose the right combination of letters or numbers. The first step that can be taken to protect your Sitefinity website is to choose a strong password policy so that you can also have a complete control on the password policy settings on a membership provider level.
Add a Server Signing Certification for the IdentityServer:
Sitefinity CMS comes with a lot of out of the box features like IdentityServer. This has brought a lot of flexibility and security improvements. By default, Sitefinity uses a X509 certificate that helps to sign the identity and also JWT access tokens that are issued by the IdentityServer.
This helps to prevent the attackers from counterfeiting the security tokens that helps to gain unauthorized access to the federated resources. You can also configure your website to your own private certificate instead of using the default one.
Turn Off the Auto-Complete Option for the Login Page:
Autocomplete option often comes handy for the developers since they don’t want to bother remembering the password and the username that is created. Once it is in production, it is better to instruct the browsers not to consider the autocomplete option.
However, the username field is of great importance as an attacker who is exploiting the autocomplete option can easily achieve the privacy violations via harvesting email addresses or username. Sitefinity allows you to easily customize the backend login page and set the autocomplete as off for the input fields or the form.
Leverage the Web Security Module:
Sitefinity CMS offers a powerful Web Security Module and it comes with a fine tuned security setting and this was introduced in version 11. In case you have not activated the security module, then go ahead with it as it offers advanced protection against MITM, content sniffing, XSS and etc.
Related Blog: How to Make Sitefinity Backend More Secure